PHI of 300,000 SSM Health Patients Exposed

Approximately 300,000 patients of SSM Health St. Mary’s Hospital in Jefferson City, Missouri have been informed that some of their protected health information (PHI) was left unsecured and unauthorized persons may have viewed it.

St. Mary’s Hospital relocated to a new facility on November 16, 2014. All the medical records of patients were transferred to the new facility and were secured at all times; however,some documents containing patients’ PHI were left at the old facility, which has been scheduled to be demolished. On June 1, 2018, it was brought to the attention of SSM Health that not all documents had been been removed.

The documents contained only a limited quantity of PHI. For most patients, only their names and medical record numbers were exposed. Certain patients had clinical information, demographic data, and financial data compromised.

Because of the huge number of records involved, the hospital hired a document services company to check all the paperwork to find out which patients were affected. It was only recently that St. Mary’s Hospital was given a reliable figure of the number of patients impacted by the breach. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights shows 301,000 patients had their PHI exposed.

Security measures were in place at the old facility, but the investigation showed those safeguards were most likely not enough to prevent unauthorized access to the facility and therefore the PHI that had been left behind. It was not possible to determine, with total certainty, that PHI had not been accessed or removed from the site.

Although the incident was considered as a data breach and patient notifications were warranted, SSM Health believes there is no significant risk of misuse of the patients’ information due to the nature of data that was exposed and the age of the information.

The hospital has already taken the necessary steps to make sure privacy breaches do not happen again in the future and policies and procedures regarding the storage, retention, and destruction of protected health information has been reviewed and revised accordingly.